Buffer overflow?

Harold Gutch logix at foobar.franken.de
Fri Aug 1 17:33:16 PDT 2003


On Fri, Aug 01, 2003 at 04:49:04PM -0400, Richard Coleman wrote:
> Matthew Dillon wrote:
> >    Well, I am neutral on the topic.  I generally consider these
> >    sorts of security fixes as masking the problem rather than
> >    fixing it.  What I would like to see (and another reason for
> >    doing the VFS layer and syscall emulation) is a way to limit
> >    a program's ability to manipulate its environment to just
> >    the files that we say it can access/modify.  Also, the ability
> >    to wrap a program with another program which takes control of
> >    its syscalls (another reason for doing syscall messaging).
> >
> >    As an extreme example take a program like 'ls'.  There is
> >    no reason under the sun for the system to allow a program
> >    like 'ls' to exec(), yet nearly all UNIX systems do allow
> >    this.  You get the drift of where I'm going...
> >
> >    The key is to make this all doable in userland.  Restricting
> >    these sorts of features to the kernel greatly reduces the
> >    number of people who can potentially develop code up 
> >    related projects.
> 
> Aren't these exactly the reason that people added Mandatory Access 
> Controls (MAC)?  It sounds like you want a user space version of MAC's.
> 
> Also "systrace" does something similar.  I know that OpenBSD has this.

There is an older systrace-version for FreeBSD.  You could try
porting that to DragonFly.  It's available from

  http://www.citi.umich.edu/u/provos/systrace/freebsd.html


bye,
  Harold




